Answer 20 questions to evaluate your organization’s cybersecurity posture. Get a score with category breakdown and recommendations.
1. Do all workstations and servers have EDR (Endpoint Detection and Response) installed?
2. Are all operating systems and applications patched within 30 days of critical updates?
3. Is multi-factor authentication (MFA) enforced on all remote access and admin accounts?
4. Do you follow least-privilege access principles with regular access reviews?
5. Are passwords required to be at least 14 characters or managed via a password manager?
6. Is your network segmented to separate sensitive systems from general user traffic?
7. Are firewall rules reviewed and updated at least annually?
8. Are encrypted DNS and web filtering in place to block malicious domains?
9. Do you have advanced email security (beyond basic spam filtering) with attachment sandboxing?
10. Are DMARC, DKIM, and SPF configured to prevent email spoofing of your domain?
11. Is sensitive data encrypted at rest and in transit (AES-256, TLS 1.2+)?
12. Are backups performed daily with at least one immutable or air-gapped copy?
13. Have backup restores been tested in the last 90 days?
14. Do you have 24/7 security monitoring (internal SOC or MDR provider)?
15. Are security logs centralized and retained for at least 12 months?
16. Do you have a documented incident response plan?
17. Has the IR plan been tested (tabletop exercise) in the last 12 months?
18. Do all employees receive security awareness training at least annually?
19. Are simulated phishing campaigns conducted at least quarterly?
20. Have you completed a formal risk assessment in the last 12 months?